I have been working through part one of the VPN split tunnel guide as a novice. I have Ubuntu Server installed on an RPi3:
When I execute the command to test the vpn user through the tunnel:
I get the same output as:
Which (as far as I know) means the vpn user is not getting tunneled through PIA.
Here is the output for the PIA service running check:
The guide is pretty straightforward and I have double-checked everything. The only part I am unsure about is the "Change Reverse Path Filtering". I had to create the file, but the guide said we would need to modify, not create, this file. Am I missing something?
Because of my novice ability, I do not know where to even start to see where the problem could be. I changed the verbosity in openvpn.conf to 3 (as suggested in the guide in case you have issues), but when I cat the log file I do not see anything relating to the issue.
Here are the cats of everything I made with the guide:
Any help on where to get started would be a huge help.
Code:
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial
pi@ubuntu-standard:~$
Code:
sudo -u vpn -i -- curl ipinfo.io
Code:
curl ipinfo.io
Code:
pi@ubuntu-standard:~$ sudo service openvpn status
[sudo] password for pi:
● openvpn.service - OpenVPN service
Loaded: loaded (/lib/systemd/system/openvpn.service; enabled; vendor preset:
Active: active (exited) since Fri 2016-08-05 03:08:26 UTC; 20min ago
Process: 489 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 489 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/openvpn.service
Aug 05 03:08:26 ubuntu-standard systemd[1]: Starting OpenVPN service...
Aug 05 03:08:26 ubuntu-standard systemd[1]: Started OpenVPN service.
Code:
sudo nano /etc/sysctl.d/9999-vpn.conf
Code:
pi@ubuntu-standard:~$ cd /etc//sysctl.d/
pi@ubuntu-standard:/etc/sysctl.d$ ls
10-console-messages.conf 10-magic-sysrq.conf 99-sysctl.conf
10-ipv6-privacy.conf 10-network-security.conf 9999-vpn.conf
10-kernel-hardening.conf 10-ptrace.conf README
10-link-restrictions.conf 10-zeropage.conf
pi@ubuntu-standard:/etc/sysctl.d$
Code:
pi@ubuntu-standard:~$ sudo cat /etc/init/openvpn.conf
# OpenVPN upstart script
# HTPC Guides - www.htpcguides.com
start on filesystem and static-network-up
stop on runlevel [!2345]
respawn
exec /usr/sbin/openvpn --status /var/run/openvpn.client.status 10 --cd /etc/openvpn --config /etc/openvpn/openvpn.conf --syslog openvpn
pi@ubuntu-standard:~$ sudo cat /etc/openvpn/openvpn.conf
client
dev tun
proto udp
remote swiss.privateinternetaccess.com 1198
resolv-retry infinite
nobind
persist-key
persist-tun
cipher aes-128-cbc
auth sha1
tls-client
remote-cert-tls server
auth-user-pass /etc/openvpn/login.txt
auth-nocache
comp-lzo
verb 3
reneg-sec 0
crl-verify /etc/openvpn/crl.rsa.2048.pem
ca /etc/openvpn/ca.rsa.2048.crt
disable-occ
script-security 2
route-noexec
up /etc/openvpn/iptables.sh
down /etc/openvpn/update-resolv-conf
pi@ubuntu-standard:~$ sudo cat /etc/openvpn/update-resolv-conf
#!/bin/bash
#
# Parses DHCP options from openvpn to update resolv.conf
# To use set as 'up' and 'down' script in your openvpn *.conf:
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
#
# Used snippets of resolvconf script by Thomas Hood and Chris Hanson.
# Licensed under the GNU GPL. See /usr/share/common-licenses/GPL.
#
# Example envs set from openvpn:
#
foreign_option_1='dhcp-option DNS 209.222.18.222'
foreign_option_2='dhcp-option DNS 209.222.18.218'
foreign_option_3='dhcp-option DNS 8.8.8.8'
#
[ -x /sbin/resolvconf ] || exit 0
[ "$script_type" ] || exit 0
[ "$dev" ] || exit 0
split_into_parts()
{
    part1="$1"
    part2="$2"
    part3="$3"
}
case "$script_type" in
up)
    NMSRVRS=""
    SRCHS=""
    for optionvarname in ${!foreign_option_*} ; do
        option="${!optionvarname}"
        echo "$option"
        split_into_parts $option
        if [ "$part1" = "dhcp-option" ] ; then
            if [ "$part2" = "DNS" ] ; then
                NMSRVRS="${NMSRVRS:+$NMSRVRS }$part3"
            elif [ "$part2" = "DOMAIN" ] ; then
                SRCHS="${SRCHS:+$SRCHS }$part3"
            fi
        fi
    done
    R=""
    [ "$SRCHS" ] && R="search $SRCHS
"
    for NS in $NMSRVRS ; do
        R="${R}nameserver $NS
"
    done
    echo -n "$R" | /sbin/resolvconf -a "${dev}.openvpn"
    ;;
down)
    /sbin/resolvconf -d "${dev}.openvpn"
    ;;
esac
pi@ubuntu-standard:~$ sudo cat /etc/openvpn/iptables.sh
#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
export INTERFACE="tun0"
export VPNUSER="vpn"
export LOCALIP="192.168.0.10"
export NETIF="eth0"
# flushes all the iptables rules, if you have other rules to use then add them into the script
iptables -F -t nat
iptables -F -t mangle
iptables -F -t filter
# mark packets from $VPNUSER
iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT ! --dest $LOCALIP -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p udp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT --dest $LOCALIP -p tcp --dport 53 -m owner --uid-owner $VPNUSER -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT ! --src $LOCALIP -j MARK --set-mark 0x1
iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
# allow responses
iptables -A INPUT -i $INTERFACE -m conntrack --ctstate ESTABLISHED -j ACCEPT
# block everything incoming on $INTERFACE to prevent accidental exposing of ports
iptables -A INPUT -i $INTERFACE -j REJECT
# let $VPNUSER access lo and $INTERFACE
iptables -A OUTPUT -o lo -m owner --uid-owner $VPNUSER -j ACCEPT
iptables -A OUTPUT -o $INTERFACE -m owner --uid-owner $VPNUSER -j ACCEPT
# all packets on $INTERFACE needs to be masqueraded
iptables -t nat -A POSTROUTING -o $INTERFACE -j MASQUERADE
# reject connections from predator IP going over $NETIF
iptables -A OUTPUT ! --src $LOCALIP -o $NETIF -j REJECT
# Start routing script
/etc/openvpn/routing.sh
exit 0
pi@ubuntu-standard:~$ sudo cat /etc/openvpn/routing
cat: /etc/openvpn/routing: No such file or directory
pi@ubuntu-standard:~$ sudo cat /etc/openvpn/routing.sh
#! /bin/bash
# Niftiest Software – www.niftiestsoftware.com
# Modified version by HTPC Guides – www.htpcguides.com
VPNIF="tun0"
VPNUSER="vpn"
GATEWAYIP=`ifconfig $VPNIF | egrep -o '([0-9]{1,3}\.){3}[0-9]{1,3}' | egrep -v '255|(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})' | tail -n1`
if [[ `ip rule list | grep -c 0x1` == 0 ]]; then
    ip rule add from all fwmark 0x1 lookup $VPNUSER
fi
ip route replace default via $GATEWAYIP table $VPNUSER
ip route append default via 127.0.0.1 dev lo table $VPNUSER
ip route flush cache
# run update-resolv-conf script to set VPN DNS
/etc/openvpn/update-resolv-conf
exit 0
pi@ubuntu-standard:~$ sudo cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
200 vpn
pi@ubuntu-standard:~$ sudo cat /etc/sysctl.d/9999-vpn.conf
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.eth0.rp_filter = 2
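As an added check script (not part of the guide or of the post above), the following verifies the state that iptables.sh, routing.sh and 9999-vpn.conf are supposed to leave behind: a policy rule for fwmark 0x1 pointing at the vpn table, a default route through tun0 in that table, loose reverse-path filtering, and an OpenVPN client process that was actually started with openvpn.conf. The table name, interface name and mark are taken from the scripts above; the command outputs embedded in the self-test are constructed samples, not captured from the poster's system, and `--live` mode assumes `ip`, `ps` and a readable /proc on the host.

```shell
#!/bin/sh
# Added example: verify the split-tunnel plumbing the guide's scripts create.
# Each check_* function reads the output of one command on stdin, so the same
# logic runs against constructed sample text (no root needed) and, with --live,
# against the running system.

VPNUSER="vpn"   # routing table name added to /etc/iproute2/rt_tables
VPNIF="tun0"    # tunnel interface used by routing.sh
FWMARK="0x1"    # mark that iptables.sh sets on the vpn user's packets

# 1. A policy rule must send marked packets to the vpn table.
#    Input: output of `ip rule show`
check_rule() {
    grep -qE "fwmark ${FWMARK}(/[^ ]+)? lookup ${VPNUSER}( |\$)"
}

# 2. The first default route in the vpn table must leave via the tunnel.
#    routing.sh appends a second default via 127.0.0.1 so the vpn user cannot
#    fall back to eth0 when the tunnel is down; that fallback alone is a FAIL.
#    Input: output of `ip route show table vpn`
check_route() {
    first=$(grep '^default ' | head -n 1)
    case "$first" in
        "default via "*" dev ${VPNIF}"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. Reverse-path filtering must be loose (2) or off (0): replies to marked
#    packets arrive on tun0 while the main table would route their sources
#    via eth0, so strict mode (1) silently drops them.
#    Input: contents of /proc/sys/net/ipv4/conf/<if>/rp_filter
check_rp_filter() {
    v=$(tr -d '[:space:]')
    [ "$v" = "2" ] || [ "$v" = "0" ]
}

# 4. An OpenVPN client started with a --config must be running. The unit
#    status in the post (ExecStart=/bin/true, "active (exited)") only proves
#    that placeholder unit ran, not that a client instance is up.
#    Input: output of `ps -eo args`
check_process() {
    grep -qE "(^|/)openvpn .*--config "
}

# Constructed sample outputs (not from the poster's system) for an offline run.
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup vpn
32766:  from all lookup main'
SAMPLE_ROUTES='default via 10.23.112.5 dev tun0
default via 127.0.0.1 dev lo'
SAMPLE_PS='COMMAND
/usr/sbin/openvpn --daemon ovpn-openvpn --cd /etc/openvpn --config /etc/openvpn/openvpn.conf'

run_self_test() {
    printf '%s\n' "$SAMPLE_RULES" | check_rule &&
    printf '%s\n' "$SAMPLE_ROUTES" | check_route &&
    printf '2\n' | check_rp_filter &&
    ! printf '1\n' | check_rp_filter &&
    printf '%s\n' "$SAMPLE_PS" | check_process
}

run_live() {
    rc=0
    ip rule show | check_rule || { echo "FAIL: no fwmark $FWMARK -> table $VPNUSER rule"; rc=1; }
    ip route show table "$VPNUSER" | check_route || { echo "FAIL: table $VPNUSER has no default route via $VPNIF"; rc=1; }
    for i in all default eth0 "$VPNIF"; do
        f="/proc/sys/net/ipv4/conf/$i/rp_filter"
        [ -r "$f" ] && { check_rp_filter <"$f" || { echo "FAIL: $f is not 0 or 2"; rc=1; }; }
    done
    ps -eo args | check_process || { echo "FAIL: no openvpn client process with --config"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: split tunnel state looks complete"
    return "$rc"
}

case "${1:-}" in
    --live) run_live ;;
    *) run_self_test && echo "self-test passed" ;;
esac
```

Run it as root with `--live` on the Pi right after `sudo -u vpn -i -- curl ipinfo.io` reports the LAN address; each FAIL line names the missing piece, which narrows the search far more than the unit status does. The rp_filter loop also covers tun0, since the kernel applies the stricter of the `all` and per-interface values.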